I have a customer with PIX version 8. They are part of a monitoring setup. This application works with HTTP traffic (web services) over a non-standard port. The PIX is configured with the usual ACL, static and the default inspection rules.
This setup did work with version 7.x. Now it is updated and it doesn't pass traffic. The hit count on my ACL also doesn't increase.
This problem occurs on a PIX v8 and with another customer on an ASA v8.
Is there any way to test and pass through traffic on non-standard ports?
Are you referring to inbound traffic for a particular web server on the inside? If this is correct, it is assumed you have specified the non-standard ports in your ACL and the other end specifies the non-standard port in their app query connecting to the server.
The way to test from outside is a simple telnet test:
telnet x.x.x.x PORT#
Are any other inbound similar HTTP services with proper static NAT translations working? If the answer is no, make sure you have "no sysopt noproxyarp outside".
I tried the "no sysopt noproxyarp outside" but it did not resolve the issue.
In the setup at the customer site there are also some DMZ services, which are fully functional. I am also able to telnet to the non-standard port from outside, but the monitor app doesn't connect. There are no hits on the ACL, and no connections in the "show conn".
Can it have something to do with the policy-maps?
If you can hit the non-standard port from outside fine, I would suspect the monitor application; perhaps the monitor app requires a TCP port range to be opened. When the monitor app client from outside queries the monitor server, can you see if it hits the firewall outside interface at all? Did you do the telnet test from the monitor app? Policy-map application inspection is a possibility.
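The following is an added example, not configuration from either poster, showing how the pieces discussed in this thread fit together on a PIX/ASA running 7.x to 8.2 (pre-8.3 NAT syntax): the static port translation and ACL for an HTTP service on a non-standard port, an explicit inspection class for that port (the default `inspection_default` class only matches the well-known ports, so TCP 80 for HTTP, and leaves other ports uninspected unless you add a class like this), and the checks that tell you whether the client's SYN ever reaches the outside interface. The addresses, names and port 8080 are placeholders and nothing from the thread.

```cisco
! Constructed example: inside monitoring server 10.1.1.10 published as
! 203.0.113.10 on TCP 8080 (all values hypothetical)
static (inside,outside) tcp 203.0.113.10 8080 10.1.1.10 8080 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq 8080
access-group outside_in in interface outside
!
! Optional: inspect HTTP on the non-standard port. Without this class the
! default global_policy does not apply "inspect http" to TCP 8080 at all.
! Remove the class again if the application stops working once it is added.
class-map http_8080
 match port tcp eq 8080
policy-map global_policy
 class http_8080
  inspect http
!
! Check 1: simulate the inbound SYN through ACL, NAT and inspection.
! Every phase should show ALLOW and the result should be "allow".
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 8080
!
! Check 2: confirm the monitoring client's SYN actually arrives on the
! outside interface. No packets here with zero ACL hits means the traffic
! is being lost upstream of the firewall, not dropped by it.
capture mon interface outside match tcp any host 203.0.113.10 eq 8080
show capture mon
!
! Check 3: ACL hit counts and the connection table for the server.
show access-list outside_in
show conn | include 10.1.1.10
```

If `packet-tracer` reports an allow for a hand-built packet while the capture stays empty when the real client runs, the firewall is configured correctly and the client is either sending to a different destination or port or never reaching the outside interface, which matches the symptom of an ACL whose hit count never moves.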